Mozilla has released emergency fixes for two critical vulnerabilities in Firefox that have been actively exploited by attackers.
Both of the vulnerabilities are use-after-free flaws in the browser, one in the nsDocShell destructor service and the other in the ReadableStream class. Mozilla released version 74.01 of Firefox on April 3 to fix both vulnerabilities. The company said that attackers have exploited both flaws in targeted attacks, but didn’t provide any more information.
However, one of the researchers who discovered the vulnerabilities and reported them to Mozilla said more details will be forthcoming.
“Mind blowing the work of Mozilla Security folks, racing against time and taking the necessary measures at this difficult time to fix and release,” Francisco Alonso said on Twitter Friday.
“There is still lots of work to do and more details to be published (including other browsers). Stay tuned.”
One of the other browsers that’s affected is the Tor Browser, which is based on Firefox. The Tor Project released version 9.08 of the privacy-focused browser on Friday to fix the two Firefox vulnerabilities.
This is the second time this year that Mozilla has warned users about a vulnerability that was under active exploitation. In January, the company issued an emergency patch for a vulnerability in the IonMonkey just-in-time compiler in Firefox that attackers were exploiting.
Firefox users should install the update as soon as possible to protect against the active attacks.